Cybercriminals Target Unpatched Microsoft Exchange Servers by Installing Cryptojacking Malware

Cybercriminals continue to go after unpatched Microsoft Exchange servers. A few weeks ago, Microsoft issued an alert that cybercriminals were deploying a strain of ransomware known as “DearCry” to target and exploit unpatched Exchange servers. On March 2nd, Microsoft issued a statement to its customers to install the needed security patches immediately or continue to risk state-backed hackers and cybercriminals from taking advantage of the vulnerabilities to compromise these Exchange servers. Ever since Microsoft released the information regarding the serious threat to their Exchange mail server software, a variety of threat actors have been observed targeting these exploitable servers with a range of different malware, from ransomware to exploitable web shells.

Recently, cybersecurity researchers at Sophos have reported, an unfamiliar attack attempting to use the ProxyLogon exploit to upload the malicious Monero cryptominer into various Microsoft Exchange servers. According to Sophos, the research teams stumbled across this malware while examining telemetry data. The findings determine that the attack begins with a PowerShell command. This command is used to retrieve a file ‘’ from a vulnerable server’s Outlook Web Access logon path (/owa/auth). The fake archive file runs a batch script that takes advantage of built-in windows utilities. The utilities enable the attacker to download more false archives and run more installs to deploy the previously mentioned cryptominer. The vulnerability allows cybercriminals to scan the internal intranet for available and vulnerable machines to ingest into the cryptomining network. Why exchange servers for mining? Well, according to a researcher at Sophos, the server hardware is advantageous for cryptojacking due to having higher performance when compared to a standard laptop or desktop and the likely hood of the server remaining operational throughout the day. When the miner is installed and running on an exploited server, any proof of installation is removed, while the mining process continues to run in memory.

Monero may not be as valuable as Bitcoin, but it has demonstrated to be easier to mine. It allows cybercriminals to hide their identity, making the owner of the wallet and those behind the attacks more difficult to trace. While cryptocurrency miners may not seem as harmful when compared to a loss of data or a ransomware attack, it still is a concern for organizations as it can degrade server performance, lessen the lifecycle of hardware components, and lead to other future attacks. Once cybercriminals have successfully gained access to the network, the attacker could do a lot more than just mine for cryptocurrency.

According to the Sophos researchers, they observed suspicious activity in the attacker's Monero wallet after it started receiving funds from mining on March 9, just a few days after Microsoft’s statement. The researchers concluded that attackers were quick to compromise these unpatched and vulnerable servers.

The researchers also suggested, apart from patching these servers’ vulnerabilities, is that organizations using these Microsoft Exchange servers should implement endpoint protection software on any vulnerable servers. This would potentially protect the network against any unforeseen attack that compromises the Microsoft Exchange server. To reiterate all organizations using Exchange servers must apply every critical security update to their servers as soon as possible.

Read the complete Sophos article here

For news and updates from around the world, visit

You can also reach us out on Facebook, & LinkedIn or Contact us.

Comments are closed
Our team knows the importance of the work we do for our clients. We know that our efforts have a direct impact on your productivity, profitability and success, so we take our tasks seriously! We look forward to providing your company with strong
ROI and value.